CN104937897B - System and method for eliminating redundant security analysis of network packets - Google Patents


Info

Publication number: CN104937897B
Authority: CN (China)
Application number: CN201380058872.7A
Other languages: Chinese (zh)
Other versions: CN104937897A (en)
Inventor: S·库利
Current Assignee: Keane Digital Co (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Symantec Corp
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Prior art keywords: computing device, destination computing, network, security system, network packet

Events:
Application filed by Symantec Corp
Publication of CN104937897A
Application granted
Publication of CN104937897B
Active legal status
Anticipated expiration

Classifications

    • H04L 63/02 — Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/1433 — Vulnerability analysis (under H04L 63/14, detecting or protecting against malicious traffic)
    • H04L 63/145 — Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L 63/1441)
    • H04L 63/1408 — Detecting or protecting against malicious traffic by monitoring network traffic (under H04L 63/14)
    • H04L 67/30 — Profiles (under H04L 67/2866, Architectures; Arrangements)
    • H04L 67/56 — Provisioning of proxy services (under H04L 67/50, Network services)

All entries fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication).

Abstract

A computer-implemented method for eliminating redundant security analysis of network packets may include: (1) intercepting, at a network device, at least one network packet destined for a destination computing device; (2) identifying the security system installed on the destination computing device; (3) determining that the security system installed on the destination computing device does not satisfy a predefined security standard; and (4) performing, at the network device, a security analysis of the network packet that satisfies the predefined security standard, based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard. Various other methods, systems, and computer-readable media are also disclosed.

Description

System and method for eliminating redundant security analysis of network packets
Background
Computer networks commonly include multiple computing devices that perform substantially similar security analyses on the same network packets. For example, a computer network may include a gateway device that facilitates the transfer of packets from a source computing device to a destination computing device. In this example, after receiving one or more packets from the source computing device, the gateway device may perform one or more security analyses on the packets (such as intrusion detection system (IDS) analysis, intrusion prevention system (IPS) analysis, antivirus analysis, and/or firewall analysis) before forwarding the packets to the destination computing device. However, after receiving the forwarded packets from the gateway device, the destination computing device may redundantly perform the same security analyses on the packets.
Unfortunately, these redundant security analyses may consume valuable network resources and prevent the computer network from achieving optimal performance. What is needed, therefore, are systems and methods for eliminating the redundant security analyses performed by different computing devices in a computer network without degrading the level of security the network provides.
Summary of the invention
As will be described in greater detail below, the present disclosure generally relates to systems and methods for eliminating redundant security analysis of network packets. In one example, a computer-implemented method for eliminating redundant security analysis of network packets may include: (1) intercepting, at a network device, at least one network packet destined for a destination computing device; (2) identifying the security system installed on the destination computing device; (3) determining that the security system installed on the destination computing device does not satisfy a predefined security standard; and then (4) performing, at the network device, a security analysis of the network packet that satisfies the predefined security standard (such as IDS analysis, IPS analysis, antivirus analysis, and/or firewall analysis), based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard.
In some examples, the method may also include providing a cloud-based server that verifies the destination computing device; obtaining information about the destination computing device (for example, information identifying the security system installed on the destination computing device, the current state of that security system, the date on which the security system was most recently updated, the network address associated with the destination computing device, and/or the brand or model of the destination computing device); and then storing the information about the destination computing device so that the network device can access it to identify the security system installed on the destination computing device.
In some examples, the method may also include obtaining user credentials from a user of the destination computing device. In such examples, the method may further include searching a verification database associated with the cloud-based server for the user credentials obtained from the user of the destination computing device. In addition, the method may include identifying the user credentials obtained from the user of the destination computing device while searching the verification database associated with the cloud-based server.
In some examples, the method may also include identifying a destination address associated with the network packet. In such examples, the method may further include determining that the network packet is destined for the destination computing device by comparing the destination address with the network address specified in the information stored on the cloud-based server. In addition, after determining that the network packet is destined for the destination computing device, the method may include identifying the security system specified in the information stored on the cloud-based server.
In some examples, the method may also include providing the destination computing device with a verification token that is configured to direct the destination computing device to update the information stored on the cloud-based server in response to detecting at least one modification to the security system installed on the destination computing device. In such examples, the method may further include receiving from the destination computing device an update that identifies the modification to the security system. In addition, the method may include updating the information stored on the cloud-based server, based at least in part on the received update, to account for the modification to the security system.
In some examples, the method may also include determining, based at least in part on the security analysis, that the network packet does not pose a security risk to the destination computing device. In such examples, the method may further include forwarding the network packet from the network device to the destination computing device after determining that the network packet does not pose a security risk to the destination computing device.
In some examples, the method may also include determining, based at least in part on the security analysis, that the network packet poses a security risk to the destination computing device. In such examples, the method may further include quarantining the network packet (rather than forwarding it from the network device to the destination computing device) after determining that the network packet poses a security risk to the destination computing device.
In some examples, the method may also include determining that the security system installed on the destination computing device satisfies a different predefined security standard. In such examples, the method may further include forwarding the network packet from the network device to the destination computing device without performing a security analysis that satisfies the different predefined security standard, because the security system on the destination computing device already satisfies that standard.
In one embodiment, a system for implementing the above method may include: (1) an interception module programmed to intercept, at a network device, at least one network packet destined for a destination computing device; (2) an identification module programmed to identify the security system installed on the destination computing device; (3) a determination module programmed to determine that the security system installed on the destination computing device does not satisfy a predefined security standard; and (4) a security module programmed to perform, at the network device, a security analysis of the network packet that satisfies the predefined security standard, based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard.
In some examples, the above method may be encoded as computer-readable instructions on a non-transitory computer-readable storage medium. For example, the non-transitory computer-readable storage medium may include one or more computer-executable instructions that, when executed by at least one processor of a network device, cause the network device to: (1) intercept at least one network packet destined for a destination computing device; (2) identify the security system installed on the destination computing device; (3) determine that the security system installed on the destination computing device does not satisfy a predefined security standard; and (4) perform a security analysis of the network packet that satisfies the predefined security standard, based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard.
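The four-step method above, together with the "different predefined security standard" case, amounts to a per-analysis decision at the gateway: look up what the endpoint already runs, skip the analyses it covers, and perform only the ones it does not. The following is an added example written for this page, not code from the patent or from Symantec; the record layout follows the fields the summary lists (installed security system, its state, its last update date, the network address, the model), while the `SecurityStandard` shape, the substring "analysis", the signature markers and the device records are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Information the cloud-based server stores about one device (constructed records below).
@dataclass(frozen=True)
class DeviceInfo:
    device: str
    network_address: str               # MAC address assigned to the device
    security_system: Optional[str]     # None means no security system is installed
    state: str                         # "on" or "off"
    last_update: Optional[date]        # date of the most recent security update
    model: str

# One predefined security standard per kind of analysis the gateway can run (assumed shape).
@dataclass(frozen=True)
class SecurityStandard:
    name: str                          # e.g. "antivirus", "ids"
    approved_systems: frozenset        # endpoint products accepted as satisfying this standard
    max_update_age_days: int           # an update older than this no longer satisfies it

def meets_standard(info: Optional[DeviceInfo], standard: SecurityStandard, today: date) -> bool:
    """Step (3): does the endpoint's installed security system satisfy `standard`?"""
    if info is None or info.security_system is None:      # unknown device, or nothing installed
        return False
    if info.security_system not in standard.approved_systems:
        return False
    if info.state != "on":                                 # installed but switched off
        return False
    if info.last_update is None or (today - info.last_update).days > standard.max_update_age_days:
        return False
    return True

@dataclass(frozen=True)
class Packet:
    destination: str                   # destination address taken from the packet metadata
    payload: bytes

@dataclass(frozen=True)
class Decision:
    action: str                        # "forward" or "quarantine"
    analyses_performed: List[str]      # standards the gateway had to check itself
    flagged_by: Optional[str]          # analysis that found a risk, if any

# Constructed gateway-side detection content: one test marker per analysis kind.
SIGNATURES: Dict[str, List[bytes]] = {
    "antivirus": [b"CONSTRUCTED-AV-TEST-MARKER"],
    "ids": [b"CONSTRUCTED-IDS-TEST-MARKER"],
}

def analyze(packet: Packet, standard: SecurityStandard) -> bool:
    """Step (4): gateway-side analysis that satisfies `standard`.
    Substring matching stands in for a real IDS/AV engine (constructed)."""
    return any(marker in packet.payload for marker in SIGNATURES[standard.name])

def handle_packet(packet: Packet, standards: List[SecurityStandard],
                  store: Dict[str, DeviceInfo], today: date) -> Decision:
    """Steps (1)-(4) for one intercepted packet: skip every analysis the endpoint
    already covers, run the rest, and quarantine on the first hit."""
    info = store.get(packet.destination.upper())        # step (2): identify the security system
    performed: List[str] = []
    for standard in standards:
        if meets_standard(info, standard, today):
            continue                                    # endpoint covers it: redundant, skip
        performed.append(standard.name)
        if analyze(packet, standard):
            return Decision("quarantine", performed, standard.name)
    return Decision("forward", performed, None)

# Constructed store keyed by MAC address: the Fig. 4 device plus two others.
INFO_STORE: Dict[str, DeviceInfo] = {
    "A0-88-B4-78-4D-08": DeviceInfo("destination computing device 202", "A0-88-B4-78-4D-08",
                                    "Norton AntiVirus", "on", date(2012, 9, 15), "Lenovo THINKPAD T430"),
    "00-11-22-33-44-55": DeviceInfo("unprotected host", "00-11-22-33-44-55", None, "off", None, "constructed"),
    "66-77-88-99-AA-BB": DeviceInfo("stale host", "66-77-88-99-AA-BB",
                                    "Norton AntiVirus", "on", date(2012, 1, 1), "constructed"),
}

STANDARDS = [
    SecurityStandard("antivirus", frozenset({"Norton AntiVirus"}), 30),
    SecurityStandard("ids", frozenset({"Symantec Network Security"}), 30),
]
TODAY = date(2012, 9, 20)   # constructed "current" date for the update-age check

if __name__ == "__main__":
    for dest in INFO_STORE:
        print(dest, handle_packet(Packet(dest, b"ordinary file bytes"), STANDARDS, INFO_STORE, TODAY))
```

The design point worth noticing is that a lookup miss (unknown address) and a record with no installed product both fall through to the full analysis set, so an endpoint only ever earns a skipped check by having a positive, current, enabled entry in the store; a stale update date or a switched-off product costs it that skip again.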
Features from any of the above embodiments may be used in combination with one another in accordance with the general principles described herein. These and other embodiments, features, and advantages will be more fully understood upon reading the following detailed description in conjunction with the accompanying drawings and claims.
Brief description of the drawings
The accompanying drawings illustrate a number of exemplary embodiments and are a part of the specification. Together with the following description, these drawings demonstrate and explain various principles of the present disclosure.
Fig. 1 is a block diagram of an exemplary system for eliminating redundant security analysis of network packets.
Fig. 2 is a block diagram of an exemplary system for eliminating redundant security analysis of network packets.
Fig. 3 is a flow diagram of an exemplary method for eliminating redundant security analysis of network packets.
Fig. 4 is an illustration of an exemplary network packet destined for a destination computing device and of exemplary information about the destination computing device.
Fig. 5 is a block diagram of an exemplary computing system capable of implementing one or more of the embodiments described and/or illustrated herein.
Fig. 6 is a block diagram of an exemplary computing network capable of implementing one or more of the embodiments described and/or illustrated herein.
Throughout the drawings, identical reference characters and descriptions indicate similar, but not necessarily identical, elements. While the exemplary embodiments described herein are susceptible to various modifications and alternative forms, specific embodiments have been shown by way of example in the drawings and will be described in detail herein. However, the exemplary embodiments described herein are not intended to be limited to the particular forms disclosed. Rather, the present disclosure covers all modifications, equivalents, and alternatives falling within the scope of the appended claims.
Detailed description
The present disclosure generally relates to systems and methods for eliminating redundant security analysis of network packets. As will be explained in greater detail below, by verifying the computing devices included in a computer network, the various systems and methods described herein may provide a secure computing environment in which verified computing devices can expose their security capabilities and/or vulnerabilities without the risk of those being exploited by malicious network participants. By providing a secure computing environment in which verified computing devices can expose their security capabilities and/or vulnerabilities without that risk, the various systems and methods described herein may also enable a network device (such as a network gateway) to determine whether the security system installed on a verified computing device satisfies a predefined security standard.
Additionally, by enabling the network device to determine whether the security system installed on a verified computing device satisfies the predefined security standard, the various systems and methods described herein may eliminate redundant security analysis of network packets destined for the verified computing device. Moreover, by eliminating redundant security analysis of network packets destined for the verified computing device, the various systems and methods described herein may help conserve network resources and/or improve the overall performance of the computer network.
The following provides, with reference to Figs. 1 and 2, detailed descriptions of exemplary systems for eliminating redundant security analysis of network packets. A detailed description of a corresponding computer-implemented method is provided in connection with Fig. 3. A detailed description of an exemplary network packet destined for a destination computing device, and of exemplary information about the destination computing device, is provided in connection with Fig. 4. In addition, detailed descriptions of an exemplary computing system and an exemplary network architecture capable of implementing one or more of the embodiments described herein are provided in connection with Figs. 5 and 6, respectively.
Fig. 1 is a block diagram of an exemplary system 100 for eliminating redundant security analysis of network packets. As illustrated in this figure, exemplary system 100 may include one or more modules 102 for performing one or more tasks. For example, and as will be explained in greater detail below, exemplary system 100 may include an interception module 104 programmed to intercept, at a network device, at least one network packet destined for a destination computing device. Exemplary system 100 may also include an identification module 106 programmed to identify the security system installed on the destination computing device.
In addition, and as will be described in greater detail below, exemplary system 100 may include a determination module 108 programmed to determine that the security system installed on the destination computing device does not satisfy a predefined security standard. Exemplary system 100 may also include a security module 110 programmed to perform, at the network device, a security analysis of the network packet that satisfies the predefined security standard, based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard.
In addition, and as will be described in greater detail below, exemplary system 100 may include a verification module 112 programmed to verify the destination computing device. Exemplary system 100 may also include an information module 114 programmed to obtain information about the destination computing device and to store that information so that the network device can access it to identify the security system installed on the destination computing device. Although illustrated as separate elements, one or more of modules 102 in Fig. 1 may represent portions of a single module or application (such as SYMANTEC NETWORK SECURITY).
In certain embodiments, one or more of modules 102 in Fig. 1 may represent one or more software applications or programs that, when executed by a computing device, cause the computing device to perform one or more tasks. For example, and as will be described in greater detail below, one or more of modules 102 may represent software modules stored and configured to run on one or more computing devices, such as the devices illustrated in Fig. 2 (e.g., destination computing device 202, cloud-based server 206, and/or network device 208), computing system 510 in Fig. 5, and/or portions of exemplary network architecture 600 in Fig. 6. One or more of modules 102 in Fig. 1 may also represent all or portions of one or more special-purpose computers configured to perform one or more tasks.
As illustrated in Fig. 1, exemplary system 100 may also include one or more network packets, such as network packet 118. For example, network packet 118 may include data representing all or a portion of a file. In this example, network packet 118 may include a payload and/or metadata (such as data identifying the source and/or destination of the payload). In addition, network packet 118 may originate from the Internet or from a source computing device included in the computer network (such as an intranet).
Exemplary system 100 in Fig. 1 may be implemented in a variety of ways. For example, all or a portion of exemplary system 100 may represent portions of exemplary system 200 in Fig. 2. As shown in Fig. 2, system 200 may include a network device 208 in communication with a destination computing device 202 and a cloud-based server 206 via a network 204.
Network device 208 may be programmed with one or more of modules 102 and/or may hold the intercepted network packet 118 destined for destination computing device 202. Additionally or alternatively, cloud-based server 206 may be programmed with one or more of modules 102 and/or may store all or a portion of information 210 about destination computing device 202 and/or a verification database 212 for verifying destination computing device 202. Additionally or alternatively, destination computing device 202 may include a security system 216 and/or a verification token 214 for facilitating updates to information 210 stored on cloud-based server 206.
In one embodiment, one or more of modules 102 from Fig. 1 may, when executed by at least one processor of network device 208 and/or cloud-based server 206, facilitate network device 208 and/or cloud-based server 206 in eliminating redundant security analysis of network packets. For example, and as will be described in greater detail below, one or more of modules 102 may cause network device 208 and/or cloud-based server 206 to: (1) intercept network packet 118 destined for destination computing device 202; (2) identify security system 216 installed on destination computing device 202; (3) determine that security system 216 installed on destination computing device 202 does not satisfy a predefined security standard; and (4) perform, on network packet 118, a security analysis that satisfies the predefined security standard, based at least in part on the determination that security system 216 installed on destination computing device 202 does not satisfy the predefined security standard.
Destination computing device 202 generally represents any type or form of computing device capable of reading computer-executable instructions. Examples of computing device 202 include, without limitation, laptops, tablets, desktops, servers, cellular phones, personal digital assistants (PDAs), multimedia players, embedded systems, combinations of one or more of the same, exemplary computing system 510 in Fig. 5, and/or any other suitable computing device.
Cloud-based server 206 generally represents any type or form of computing device, or set of computing devices, capable of verifying other computing devices included in a computer network and/or storing information about one or more of those computing devices. Examples of cloud-based server 206 include, without limitation, application servers, web servers, storage servers, and/or database servers configured to run certain software applications and/or to provide various network, storage, and/or database services.
Network device 208 generally represents any type or form of computing device capable of intercepting and forwarding network packets and/or otherwise facilitating the transfer of network packets from one computing device to another. Examples of network device 208 include, without limitation, network gateways, default gateways, routers, nodes, laptops, tablets, desktops, servers, cellular phones, personal digital assistants (PDAs), multimedia players, embedded systems, combinations of one or more of the same, exemplary computing system 510 in Fig. 5, and/or any other network device.
Network 204 generally represents any medium or architecture capable of facilitating communication or data transfer. Examples of network 204 include, without limitation, an intranet, a TCP/IP network, a wide area network (WAN), a local area network (LAN), a personal area network (PAN), the Internet, power line communications (PLC), a cellular network (e.g., a Global System for Mobile Communications (GSM) network), exemplary network architecture 600 in Fig. 6, or the like. Network 204 may facilitate communication or data transfer using wireless or wired connections. In one embodiment, network 204 may facilitate communication among network device 208, destination computing device 202, and/or cloud-based server 206.
Security system 216 generally represents any type or form of security software configured to protect the proper operation of any information stored on a computing device and/or to protect such information from destruction by potentially malicious activity. Examples of security system 216 include, without limitation, standalone security systems, security clients incorporated into distributed or cloud-based security systems, antivirus security systems (e.g., Symantec's NORTON ANTIVIRUS), Internet security systems (e.g., Symantec's NORTON INTERNET SECURITY), network security systems (e.g., SYMANTEC NETWORK SECURITY), firewall security systems, combinations of one or more of the same, and/or any other suitable security system.
Fig. 3 is a flow diagram of an exemplary computer-implemented method 300 for eliminating redundant security analysis of network packets. The steps shown in Fig. 3 may be performed by any suitable computer-executable code and/or computing system. In some embodiments, the steps shown in Fig. 3 may be performed by one or more of the components of system 100 in Fig. 1, system 200 in Fig. 2, computing system 510 in Fig. 5, and/or portions of exemplary network architecture 600 in Fig. 6.
As illustrated in Fig. 3, at step 302 one or more of the systems described herein may intercept at least one network packet destined for a destination computing device. For example, interception module 104 may, as part of network device 208, intercept network packet 118 destined for destination computing device 202. In this example, network packet 118 may include data representing all or a portion of at least one file.
The systems described herein may perform step 302 in a variety of ways. In one example, destination computing device 202 may submit a request to obtain certain data stored on a computing device outside the network of destination computing device 202. For example, destination computing device 202 may submit a request to download a specific file from a server (not illustrated in Fig. 2) hosting a website accessible via the Internet. In this example, the server may initiate transfer of network packet 118 to destination computing device 202 in response to the request. Network packet 118 may include data representing all or a portion of the file requested by destination computing device 202 from the server.
As illustrated in Fig. 4, network packet 118 may include metadata that specifies a destination address (in this example, "A0-88-B4-78-4D-08") associated with a destination computing device included in a computer network, and a payload that includes data representing all or a portion of at least one file being downloaded by the destination computing device (in this example, "0x1738F12A" to "0xD128B379"). In one example, the destination address identified in the packet's metadata may include the Media Access Control (MAC) address assigned to destination computing device 202.
As network packet 118 enters the computer network en route to destination computing device 202, interception module 104 may intercept network packet 118 at network device 208. For example, interception module 104 may receive network packet 118 at network device 208 as the packet travels toward destination computing device 202. In this example, and as will be described in greater detail below, network device 208 may hold network packet 118 and prevent it from continuing toward destination computing device 202, at least until it has determined whether the security capabilities of destination computing device 202 satisfy a predefined security standard.
In some examples, network device 208 may represent a gateway that enables destination computing device 202 to receive and/or access data stored on other computing devices included in the same computer network or in a different computer network. In one example, network device 208 may act as a firewall for the computer network. Additionally or alternatively, network device 208 may act as an interface that implements a communication protocol different from that of the computer network including destination computing device 202.
As shown in Figure 3, installation can be identified in one or more of step 304, various systems described herein Security system on destination computing device.For example, identification module 106 can identify installation as the part of the network equipment 208 Security system 216 on destination computing device 202.In this example, security system 216 may be configured to protection storage The good operation of information on destination computing device 202 and/or protection information exempt from the destruction of potential rogue activity.
System as described herein can perform step 304 with various ways.In some instances, identification module 106 can To access on the information of destination computing device 202 to identify the security system being arranged on destination computing device 202.For example, Identification module 106 can access the information 210 on destination computing device 202 to the request of server 206 based on cloud.At this In example, the server 206 based on cloud can examine the network equipment 208 before identification module 106 is able to access that information 210 Whether there is enough administrative powers to access the information on destination computing device 202.Examined in the server 206 based on cloud After the network equipment 208 has enough administrative powers, identification module 106, which can access, to be stored on the server 206 based on cloud Information 210 with identify be arranged on destination computing device 202 on security system.
As shown in Figure 4, information 210 can specify particular computing device (in this example, " destination computing device 202 "), it is assigned to the network address (in this example, " A0-88-B4-78-4D-08 ") of computing device, installed in calculating Security system (in this example, " promise of Symantec anti-virus "), the safety of installation on the computing device in equipment The current state (in this example, " unlatching ") of system, the date of the newest security update of security system are (in this example In, " 09/15/2012 "), and the brand of computing device and/or model (in this example, " association THINKPAD T430”)。
In one example, identification module 106 may identify the destination address specified in the metadata of the network packet. For example, identification module 106 may analyze the metadata included in network packet 118 and, based at least in part on this analysis, determine that network packet 118 is destined for the computing device associated with network address "A0-88-B4-78-4D-08". In this example, identification module 106 may compare the destination address specified in the metadata of the network packet with the network address "A0-88-B4-78-4D-08" specified in information 210. Identification module 106 may then determine, based at least in part on this comparison, that network packet 118 is destined for destination computing device 202.
In one example, after determining that network packet 118 is destined for destination computing device 202, identification module 106 may identify the security system installed on destination computing device 202. For example, identification module 106 may search information 210 for a security system installed on destination computing device 202. In this example, identification module 106 may identify security system 216 while searching information 210 for a security system installed on destination computing device 202.
Additionally or alternatively, identification module 106 may determine that no security system is currently installed on destination computing device 202. For example, destination computing device 202 may not have any security system installed at all. In this example, identification module 106 may search the information about destination computing device 202 for any security system installed on destination computing device 202. Identification module 106 may then fail to identify any security system installed on destination computing device 202 while searching the information about destination computing device 202.
In some examples, cloud-based server 206 may verify one or more computing devices included in the computer network. For example, authentication module 112 may, as part of cloud-based server 206, verify destination computing device 202 and/or network device 208 after they join the computer network. By verifying destination computing device 202 and/or network device 208 using cloud-based server 206, authentication module 112 may ensure that the computer network provides a secure computing environment in which destination computing device 202 and/or network device 208 are not at risk of exposing their security capabilities and/or vulnerabilities to exploitation by a malicious network participant.
In one example, authentication module 112 may obtain user credentials from the user of destination computing device 202. For example, authentication module 112 may enable the user of destination computing device 202 to create a username and password associated with the computer network. In this example, authentication module 112 may then store the username and password created by the user of destination computing device 202 in validation database 212.
In one example, authentication module 112 may obtain the username and password of the user of destination computing device 202 (on at least one occasion) in order to verify destination computing device 202 using cloud-based server 206. For example, network device 208 may detect that destination computing device 202 is attempting to join the computer network. In this example, after detecting that destination computing device 202 is attempting to join the computer network, network device 208 may request the username and password of the user of destination computing device 202.
In one example, network device 208 may receive the username and password of the user of destination computing device 202 in response to the request. In this example, after receiving the username and password of the user of destination computing device 202, network device 208 may provide the username and password to authentication module 112. Authentication module 112 may then verify destination computing device 202 using cloud-based server 206 by searching validation database 212 for the username and password and finding the username and password during the search.
In a similar example, authentication module 112 may obtain user credentials from the user of network device 208. For example, authentication module 112 may enable the network administrator associated with network device 208 to create a username and password associated with the computer network. In this example, authentication module 112 may then store the username and password created by the network administrator in validation database 212.
In one example, authentication module 112 may obtain the username and password of the network administrator associated with network device 208 (on at least one occasion) in order to verify network device 208 using cloud-based server 206. For example, the network administrator may start network device 208 so that it begins facilitating the transmission of packets within the computer network. In this example, during the startup process, network device 208 may request the username and password of the network administrator associated with network device 208.
In one example, network device 208 may receive the username and password of the network administrator in response to the request. In this example, after receiving the username and password of the network administrator, network device 208 may provide the username and password to authentication module 112. Authentication module 112 may then verify network device 208 using cloud-based server 206 by searching validation database 212 for the username and password and finding the username and password during the search.
In some examples, cloud-based server 206 may obtain information 210 from one or more users and/or computing devices included in the computer network. For example, information module 114 may, as part of cloud-based server 206, query destination computing device 202 and/or network device 208 for information about destination computing device 202. Additionally or alternatively, information module 114 may query the user of destination computing device 202 and/or the administrator associated with network device 208 for information about destination computing device 202. In response to these queries, information module 114 may receive the information about destination computing device 202 via a secure communication protocol (such as Hypertext Transfer Protocol Secure (HTTPS)) and store the information about destination computing device 202 as information 210 on cloud-based server 206.
In some examples, authentication module 112 may provide a verification token to destination computing device 202 during the verification process. For example, authentication module 112 may provide destination computing device 202 with verification token 214, which is configured to direct destination computing device 202 to update information 210. In one example, verification token 214 may direct destination computing device 202 to update information 210 periodically (for example, weekly). In another example, verification token 214 may direct destination computing device 202 to update information 210 in response to detecting at least one modification to security system 216 (for example, a security update, a change in the current state of the security system, and/or a new security system) or at least one modification to the network address of the device (for example, a new network address).
In one example, verification token 214 may direct destination computing device 202 to provide authentication module 112 with an update identifying the modification to security system 216 or to the network address of the device. In this example, authentication module 112 may receive the update from destination computing device 202 via a secure communication protocol. Authentication module 112 may then update information 210 based at least in part on the update received from destination computing device 202, so that information 210 reflects the modification to security system 216 or to the network address of the device.
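The verification flow above (credentials checked against validation database 212, verification token 214 issued, token-driven refresh of information 210) as an added Python example; it is not code from the patent, all class and function names are hypothetical, and it stores credentials salted-and-hashed, which is an added hardening rather than something the text specifies.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Hypothetical names throughout; the patent does not specify an implementation.
REFRESH_INTERVAL = timedelta(days=7)  # the "weekly" refresh the text mentions


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of the cleartext storage the text describes: an
    # added hardening in this example, not something the patent specifies.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class VerificationToken:
    """Stands in for verification token 214."""
    token_id: str
    device: str
    issued: date


class CloudServer:
    """Stands in for cloud-based server 206 holding validation database 212 and information 210."""

    def __init__(self) -> None:
        self.validation_db: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, hash)
        self.info_210: Dict[str, dict] = {}                       # device -> its record
        self.tokens: Dict[str, VerificationToken] = {}

    def register_user(self, username: str, password: str) -> None:
        """The device's user (or the network administrator) creates network credentials."""
        salt = os.urandom(16)
        self.validation_db[username] = (salt, _hash_password(password, salt))

    def verify_device(self, device: str, username: str, password: str,
                      today: date) -> Optional[VerificationToken]:
        """Credentials relayed by network device 208; a match yields token 214."""
        entry = self.validation_db.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            return None
        token = VerificationToken(secrets.token_hex(8), device, today)
        self.tokens[token.token_id] = token
        return token

    def receive_update(self, token_id: str, update: dict, today: date) -> bool:
        """Accept an information-210 update only from the device holding a valid token."""
        token = self.tokens.get(token_id)
        if token is None or token.device != update.get("device"):
            return False
        record = self.info_210.setdefault(token.device, {})
        record.update(update)
        record["last_refresh"] = today
        return True


def refresh_due(record: dict, today: date, modified: bool = False) -> bool:
    """Token 214 directs the device to refresh weekly, or at once after a
    modification to its security system or network address."""
    last = record.get("last_refresh")
    return modified or last is None or today - last >= REFRESH_INTERVAL


if __name__ == "__main__":
    server = CloudServer()
    server.register_user("alice", "correct horse battery staple")
    token = server.verify_device("destination computing device 202", "alice",
                                 "correct horse battery staple", date(2012, 9, 15))
    # Constructed update mirroring the Fig. 4 record
    server.receive_update(token.token_id, {
        "device": "destination computing device 202",
        "network_address": "A0-88-B4-78-4D-08",
        "security_system": "Symantec Norton AntiVirus",
        "state": "on",
        "last_security_update": date(2012, 9, 15),
    }, date(2012, 9, 15))
    print(refresh_due(server.info_210["destination computing device 202"], date(2012, 9, 22)))
```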
As shown in Figure 3, at step 306 one or more of the various systems described herein may determine that the security system installed on the destination computing device does not satisfy a predefined safety standard. For example, determining module 108 may, as part of network device 208, determine that security system 216 installed on destination computing device 202 does not satisfy the predefined safety standard. The phrase "predefined safety standard", as used herein, generally refers to any type or form of qualification or requirement that the security system installed on the destination computing device be able to perform a particular safety analysis on the network packet.
The systems described herein may perform step 306 in a variety of ways. In some examples, determining module 108 may identify the predefined safety standard imposed by the computer network. In such an example, determining module 108 may determine that the predefined safety standard requires network packet 118 to undergo a particular safety analysis. Examples of such safety analysis include, without limitation: one or more specific IDS analyses, IPS analyses, anti-virus analyses, firewall analyses, reputation-based safety analyses, heuristic-based safety analyses, signature-based safety analyses, combinations of one or more of the above, and/or any other suitable safety analysis.
In some examples, determining module 108 may access information about security system 216 installed on destination computing device 202 in order to determine whether security system 216 satisfies the predefined safety standard. For example, determining module 108 may access information about security system 216 stored locally on network device 208. In another example, determining module 108 may access information about security system 216 stored remotely on cloud-based server 206. In a further example, determining module 108 may access information about security system 216 via the Internet.
In some examples, after accessing the information about security system 216, determining module 108 may compare the information about security system 216 with the predefined safety standard in order to determine whether security system 216 is currently able to perform the safety analysis required by the predefined safety standard. For example, determining module 108 may identify the security capabilities of security system 216 specified in the information about security system 216. In this example, determining module 108 may compare the security capabilities of security system 216 with the safety analysis required by the predefined safety standard.
Determining module 108 may then determine, based at least in part on this comparison, that security system 216 is currently unable to perform the safety analysis required by the predefined safety standard. As will be described in greater detail below, by determining that security system 216 installed on destination computing device 202 satisfies a predefined safety standard, determining module 108 may enable security module 110 to eliminate redundant safety analysis performed on network packet 118.
In some examples, determining module 108 may also determine that security system 216 satisfies a different safety standard. For example, determining module 108 may identify a different safety standard imposed by the computer network. In this example, determining module 108 may determine that the different predefined safety standard requires network packet 118 to undergo a different safety analysis. Examples of this different safety analysis include, without limitation: one or more specific IDS analyses, IPS analyses, anti-virus analyses, firewall analyses, reputation-based safety analyses, heuristic-based safety analyses, signature-based safety analyses, combinations of one or more of the above, and/or any other suitable safety analysis.
In one example, determining module 108 may compare the information about security system 216 with the different predefined safety standard. In this example, determining module 108 may determine, based at least in part on this comparison, that security system 216 is currently able to perform the different safety analysis required by the different predefined safety standard.
In a specific example, determining module 108 may determine that security system 216 is unable to perform the specific IDS and IPS analyses required by the predefined safety standard (because, for example, security system 216 does not perform any IDS or IPS analysis at all, or because the IDS and IPS analyses performed by security system 216 are out of date). However, determining module 108 may also determine that security system 216 installed on destination computing device 202 is able to perform the specific anti-virus and firewall analyses required by the different predefined safety standard.
As shown in Figure 3, at step 308 one or more of the various systems described herein may perform, on the network packet, a safety analysis that satisfies the predefined safety standard, based at least in part on determining that the security system installed on the destination computing device does not satisfy the predefined safety standard. For example, security module 110 may, as part of network device 208, perform on network packet 118 a safety analysis that satisfies the predefined safety standard, based at least in part on determining that security system 216 installed on destination computing device 202 does not satisfy the predefined safety standard. In other words, security module 110 may perform the safety analysis on network packet 118 at network device 208 because security system 216 on destination computing device 202 is currently unable to perform the safety analysis required by the predefined safety standard.
The systems described herein may perform step 308 in a variety of ways. In some examples, security module 110 may perform the safety analysis on network packet 118 before forwarding network packet 118 to destination computing device 202. In one example, security module 110 may determine, based at least in part on the safety analysis, that network packet 118 does not pose a known security risk to destination computing device 202. In this example, security module 110 may then forward network packet 118 from network device 208 to destination computing device 202 because network packet 118 does not pose a known security risk to destination computing device 202.
In another example, security module 110 may determine, based at least in part on the safety analysis, that network packet 118 poses a known security risk to destination computing device 202. In this example, security module 110 may then quarantine network packet 118 (for example, by preventing network packet 118 from proceeding to destination computing device 202) instead of forwarding network packet 118 from network device 208 to destination computing device 202.
In some examples, in response to determining that security system 216 installed on destination computing device 202 satisfies the different predefined safety standard, security module 110 may forward network packet 118 from network device 208 to destination computing device 202 without performing the different safety analysis on network packet 118 at network device 208. In other words, security module 110 may refrain from performing on network packet 118 the different safety analysis required by the different predefined safety standard, because security system 216 on destination computing device 202 is able to perform the different safety analysis on network packet 118.
In a specific example, security module 110 may perform on network packet 118 the IDS and IPS analyses required by the predefined safety standard because security system 216 on destination computing device 202 is unable to perform these IDS and IPS analyses. In contrast, security module 110 may forward network packet 118 to destination computing device 202 without performing the specific anti-virus and firewall analyses required by the different predefined safety standard, because security system 216 on destination computing device 202 is able to perform these anti-virus and firewall analyses.
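The gateway-side decision of steps 304 through 308 (match the packet's destination address against information 210, compare the endpoint's security capabilities with each predefined safety standard, run only the analyses the endpoint cannot currently perform, then forward or quarantine) as an added Python example; it is not the patent's code. The record layout follows Fig. 4, while the "capabilities" set, the per-analysis freshness limits that decide when an endpoint's IDS/IPS counts as out of date, and the constructed registry and analyzer stand-ins are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple

# Hypothetical names throughout; the patent does not specify an implementation.


@dataclass(frozen=True)
class DeviceInfo:
    """One record of information 210 as kept on cloud-based server 206 (fields per Fig. 4)."""
    device: str
    network_address: str                 # address the packet metadata is matched against
    security_system: Optional[str]       # None models "no security system installed"
    state: str                           # "on" or "off"
    last_security_update: Optional[date]
    capabilities: FrozenSet[str] = frozenset()  # analyses the endpoint product performs


# Predefined safety standards imposed by the network: analysis -> how recent the
# endpoint's last security update must be for that analysis to count as current.
STANDARDS: Dict[str, timedelta] = {
    "ids": timedelta(days=7),
    "ips": timedelta(days=7),
    "antivirus": timedelta(days=30),
    "firewall": timedelta(days=30),
}

# Constructed registry: the first entry mirrors Fig. 4, the second is an unprotected host.
REGISTRY: Dict[str, DeviceInfo] = {
    "A0-88-B4-78-4D-08": DeviceInfo(
        "destination computing device 202", "A0-88-B4-78-4D-08",
        "Symantec Norton AntiVirus", "on", date(2012, 9, 15),
        frozenset({"ids", "ips", "antivirus", "firewall"})),
    "00-11-22-33-44-55": DeviceInfo(
        "unprotected laptop", "00-11-22-33-44-55", None, "off", None),
}


def analyses_gateway_must_run(dest_address: str, registry: Dict[str, DeviceInfo],
                              today: date,
                              standards: Dict[str, timedelta] = STANDARDS) -> Set[str]:
    """Return the analyses network device 208 must perform itself for a packet to
    dest_address. Analyses the endpoint can currently perform are left to it."""
    info = registry.get(dest_address.upper())
    if info is None or info.security_system is None or info.state != "on":
        # Unknown, unprotected or disabled endpoint: nothing can be delegated.
        return set(standards)
    required: Set[str] = set()
    for analysis, max_age in standards.items():
        out_of_date = (info.last_security_update is None
                       or today - info.last_security_update > max_age)
        if analysis not in info.capabilities or out_of_date:
            required.add(analysis)
    return required


Analyzer = Callable[[dict], bool]  # returns True when the packet is a known risk


def handle_packet(packet: dict, registry: Dict[str, DeviceInfo], today: date,
                  analyzers: Dict[str, Analyzer]) -> Tuple[str, Set[str]]:
    """Run only the non-redundant analyses; forward if all pass, otherwise quarantine."""
    required = analyses_gateway_must_run(packet["dst"], registry, today)
    for name in sorted(required):
        if analyzers[name](packet):
            return "quarantine", required
    return "forward", required


# Constructed stand-ins for the real engines: each flags a test marker in the payload.
ANALYZERS: Dict[str, Analyzer] = {
    "ids": lambda p: b"IDS-TEST" in p["payload"],
    "ips": lambda p: b"IPS-TEST" in p["payload"],
    "antivirus": lambda p: b"AV-TEST" in p["payload"],
    "firewall": lambda p: p.get("dst_port") == 0,
}


if __name__ == "__main__":
    today = date(2012, 10, 1)  # signatures from 09/15/2012 are 16 days old: IDS/IPS stale
    print(analyses_gateway_must_run("A0-88-B4-78-4D-08", REGISTRY, today))  # {'ids', 'ips'}
    print(handle_packet({"dst": "a0-88-b4-78-4d-08", "dst_port": 443, "payload": b"hello"},
                        REGISTRY, today, ANALYZERS))
```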
As explained above in connection with method 300 in Figure 3, a computer network may eliminate redundant safety analysis of network packets destined for a verified computing device. For example, the computer network may provide verified computing devices with a secure computing environment in which they are not at risk of exposing their security capabilities and/or vulnerabilities to exploitation by a malicious network participant. When the user of a computing device attempts to join the computer network, the user may need to perform a one-time verification of the computing device using the network's cloud-based server. During this verification process, the user's computing device may provide the network's cloud-based server with information identifying any security system currently installed on the computing device.
The cloud-based server may then receive the information from the user's computing device and provide the information to the network's gateway device upon request. For example, the user of the computing device may attempt to load a file from the Internet. As the file enters the computer network on its way to the user's computing device, the network's gateway device may intercept the file and query the cloud-based server for information identifying the security system installed on the user's computing device. In response to this query from the network's gateway device, the cloud-based server may provide the gateway device with the information identifying the security system on the user's computing device.
The network's gateway device may receive the information from the cloud-based server and then use the information to determine whether the user's computing device satisfies a predefined safety standard imposed by the computer network. For example, the gateway device may compare the information with the predefined safety standard in order to determine whether the security system on the user's computing device is currently able to perform at least one safety analysis required by the predefined safety standard. In this example, the gateway device may determine, based at least in part on the comparison, that the security system is currently unable to perform the safety analysis required by the predefined safety standard. After determining that the security system is currently unable to perform the safety analysis, the gateway device may perform the safety analysis on the file before forwarding the file to the user's computing device.
By determining that the security system on the user's computing device is currently unable to perform the safety analysis, the gateway device may ensure that different computing devices included in the computer network do not redundantly perform the same safety analysis on the file. In addition, by ensuring that different computing devices included in the computer network do not redundantly perform the same safety analysis on the file, the gateway device may help protect network resources and/or improve the overall performance of the network.
Figure 5 is a block diagram of an exemplary computing system 510 capable of implementing one or more of the embodiments described and/or illustrated herein. For example, all or a portion of computing system 510 may perform and/or be a means for performing, either alone or in combination with other elements, one or more of the intercepting, identifying, determining, performing, providing, verifying, obtaining, storing, searching, comparing, receiving, updating, forwarding, and quarantining steps described herein. All or a portion of computing system 510 may also perform and/or be a means for performing any other steps, methods, or processes described and/or illustrated herein.
Computing system 510 broadly represents any single- or multi-processor computing device or system capable of executing computer-readable instructions. Examples of computing system 510 include, without limitation: workstations, laptops, client-side terminals, servers, distributed computing systems, handheld devices, or any other computing system or device. In its most basic configuration, computing system 510 may include at least one processor 514 and a system memory 516.
Processor 514 generally represents any type or form of processing unit capable of processing data or interpreting and executing instructions. In certain embodiments, processor 514 may receive instructions from a software application or module. These instructions may cause processor 514 to perform the functions of one or more of the exemplary embodiments described and/or illustrated herein.
System memory 516 generally represents any type or form of volatile or non-volatile storage device or medium capable of storing data and/or other computer-readable instructions. Examples of system memory 516 include, without limitation: random access memory (RAM), read-only memory (ROM), flash memory, or any other suitable memory device. Although not required, in certain embodiments computing system 510 may include both a volatile memory unit (such as, for example, system memory 516) and a non-volatile storage device (such as, for example, primary storage device 532, as described in detail below). In one example, one or more of modules 102 from Figure 1 may be loaded into system memory 516.
In certain embodiments, exemplary computing system 510 may also include one or more components or elements in addition to processor 514 and system memory 516. For example, as illustrated in Figure 5, computing system 510 may include a memory controller 518, an input/output (I/O) controller 520, and a communication interface 522, each of which may be interconnected via a communication infrastructure 512. Communication infrastructure 512 generally represents any type or form of infrastructure capable of facilitating communication between one or more components of a computing device. Examples of communication infrastructure 512 include, without limitation: a communication bus (such as an Industry Standard Architecture (ISA), Peripheral Component Interconnect (PCI), PCI Express (PCIe), or similar bus) and a network.
Memory controller 518 generally represents any type or form of device capable of handling memory or data or controlling communication between one or more components of computing system 510. For example, in certain embodiments memory controller 518 may control communication between processor 514, system memory 516, and I/O controller 520 via communication infrastructure 512.
I/O controller 520 generally represents any type or form of module capable of coordinating and/or controlling the input and output functions of a computing device. For example, in certain embodiments I/O controller 520 may control or facilitate transfer of data between one or more elements of computing system 510, such as processor 514, system memory 516, communication interface 522, display adapter 526, input interface 530, and storage interface 534.
Communication interface 522 broadly represents any type or form of communication device or adapter capable of facilitating communication between exemplary computing system 510 and one or more additional devices. For example, in certain embodiments communication interface 522 may facilitate communication between computing system 510 and a private or public network including additional computing systems. Examples of communication interface 522 include, without limitation: a wired network interface (such as a network interface card), a wireless network interface (such as a wireless network interface card), a modem, and any other suitable interface. In at least one embodiment, communication interface 522 may provide a direct connection to a remote server via a direct link to a network, such as the Internet. Communication interface 522 may also indirectly provide such a connection through, for example, a local area network (such as an Ethernet network), a personal area network, a telephone or cable network, a cellular telephone connection, a satellite data connection, or any other suitable connection.
In certain embodiments, communication interface 522 may also represent a host adapter configured to facilitate communication between computing system 510 and one or more additional network or storage devices via an external bus or communications channel. Examples of host adapters include, without limitation: Small Computer System Interface (SCSI) host adapters, Universal Serial Bus (USB) host adapters, Institute of Electrical and Electronics Engineers (IEEE) 1394 host adapters, Advanced Technology Attachment (ATA), Parallel ATA (PATA), Serial ATA (SATA), and External SATA (eSATA) host adapters, Fibre Channel interface adapters, Ethernet adapters, or the like. Communication interface 522 may also allow computing system 510 to engage in distributed or remote computing. For example, communication interface 522 may receive instructions from a remote device or send instructions to a remote device for execution.
As illustrated in Figure 5, computing system 510 may also include at least one display device 524 coupled to communication infrastructure 512 via a display adapter 526. Display device 524 generally represents any type or form of device capable of visually displaying information forwarded by display adapter 526. Similarly, display adapter 526 generally represents any type or form of device configured to forward graphics, text, and other data from communication infrastructure 512 (or from a frame buffer, as known in the art) for display on display device 524.
As illustrated in Figure 5, exemplary computing system 510 may also include at least one input device 528 coupled to communication infrastructure 512 via an input interface 530. Input device 528 generally represents any type or form of input device capable of providing input, either computer- or human-generated, to exemplary computing system 510. Examples of input device 528 include, without limitation: a keyboard, a pointing device, a speech recognition device, or any other input device.
As illustrated in Figure 5, exemplary computing system 510 may also include a primary storage device 532 and a backup storage device 533 coupled to communication infrastructure 512 via a storage interface 534. Storage devices 532 and 533 generally represent any type or form of storage device or medium capable of storing data and/or other computer-readable instructions. For example, storage devices 532 and 533 may be a magnetic disk drive (for example, a so-called hard drive), a solid-state drive, a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash drive, or the like. Storage interface 534 generally represents any type or form of interface or device for transferring data between storage devices 532 and 533 and other components of computing system 510. In one example, database 212 from Figure 2 may be stored in primary storage device 532.
In certain embodiments, storage devices 532 and 533 may be configured to read from and/or write to a removable storage unit configured to store computer software, data, or other computer-readable information. Examples of suitable removable storage units include, without limitation: a floppy disk, a magnetic tape, an optical disk, a flash memory device, or the like. Storage devices 532 and 533 may also include other similar structures or devices for allowing computer software, data, or other computer-readable instructions to be loaded into computing system 510. For example, storage devices 532 and 533 may be configured to read and write software, data, or other computer-readable information. Storage devices 532 and 533 may also be a part of computing system 510 or may be separate devices accessed through other interface systems.
Many other devices or subsystems may be connected to computing system 510. Conversely, all of the components and devices illustrated in Figure 5 need not be present to practice the embodiments described and/or illustrated herein. The devices and subsystems referenced above may also be interconnected in different ways from that shown in Figure 5. Computing system 510 may also employ any number of software, firmware, and/or hardware configurations. For example, one or more of the exemplary embodiments disclosed herein may be encoded as a computer program (also referred to as computer software, software applications, computer-readable instructions, or computer control logic) on a computer-readable storage medium. The phrase "computer-readable storage medium" generally refers to any form of device, carrier, or medium capable of storing or carrying computer-readable instructions. Examples of computer-readable storage media include, without limitation: transmission-type media, such as carrier waves, and non-transitory-type media, such as magnetic storage media (for example, hard disk drives and floppy disks), optical storage media (for example, Compact Disks (CDs) or Digital Video Disks (DVDs)), electronic storage media (for example, solid-state drives and flash media), and other distribution systems.
The computer-readable storage medium containing the computer program may be loaded into computing system 510. All or a portion of the computer program stored on the computer-readable storage medium may then be stored in system memory 516 and/or various portions of storage devices 532 and 533. When executed by processor 514, a computer program loaded into computing system 510 may cause processor 514 to perform and/or be a means for performing the functions of one or more of the exemplary embodiments described and/or illustrated herein. Additionally or alternatively, one or more of the exemplary embodiments described and/or illustrated herein may be implemented in firmware and/or hardware. For example, computing system 510 may be configured as an Application Specific Integrated Circuit (ASIC) adapted to implement one or more of the exemplary embodiments disclosed herein.
Figure 6 is a block diagram of an exemplary network architecture 600 in which client systems 610, 620, and 630 and servers 640 and 645 may be coupled to a network 650. As detailed above, all or a portion of network architecture 600 may perform and/or be a means for performing, either alone or in combination with other elements, one or more of the intercepting, identifying, determining, performing, providing, verifying, obtaining, storing, searching, comparing, receiving, updating, forwarding, and quarantining steps disclosed herein. All or a portion of network architecture 600 may also be used to perform and/or be a means for performing other steps and features set forth in the instant disclosure.
Client systems 610, 620, and 630 generally represent any type or form of computing device or system, such as exemplary computing system 510 in Figure 5. Similarly, servers 640 and 645 generally represent computing devices or systems, such as application servers or database servers, configured to provide various database services and/or run certain software applications. Network 650 generally represents any telecommunication or computer network including, for example, an intranet, a WAN, a LAN, a PAN, or the Internet. In one example, client systems 610, 620, and/or 630 and/or servers 640 and/or 645 may include all or a portion of system 100 from Figure 1.
As illustrated in Figure 6, one or more storage devices 660(1)-(N) may be directly attached to server 640. Similarly, one or more storage devices 670(1)-(N) may be directly attached to server 645. Storage devices 660(1)-(N) and storage devices 670(1)-(N) generally represent any type or form of storage device or medium capable of storing data and/or other computer-readable instructions. In certain embodiments, storage devices 660(1)-(N) and storage devices 670(1)-(N) may represent Network-Attached Storage (NAS) devices configured to communicate with servers 640 and 645 using various protocols, such as Network File System (NFS), Server Message Block (SMB), or Common Internet File System (CIFS).
Servers 640 and 645 may also be connected to a Storage Area Network (SAN) fabric 680. SAN fabric 680 generally represents any type or form of computer network or architecture capable of facilitating communication between a plurality of storage devices. SAN fabric 680 may facilitate communication between servers 640 and 645 and a plurality of storage devices 690(1)-(N) and/or an intelligent storage array 695. SAN fabric 680 may also facilitate, via network 650 and servers 640 and 645, communication between client systems 610, 620, and 630 and storage devices 690(1)-(N) and/or intelligent storage array 695 in such a manner that devices 690(1)-(N) and array 695 appear as locally attached devices to client systems 610, 620, and 630. As with storage devices 660(1)-(N) and storage devices 670(1)-(N), storage devices 690(1)-(N) and intelligent storage array 695 generally represent any type or form of storage device or medium capable of storing data and/or other computer-readable instructions.
In certain embodiments, and with reference to exemplary computing system 510 of Figure 5, a communication interface, such as communication interface 522 in Figure 5, may be used to provide connectivity between each client system 610, 620, and 630 and network 650. Client systems 610, 620, and 630 may be able to access information on server 640 or 645 using, for example, a web browser or other client software. Such software may allow client systems 610, 620, and 630 to access data hosted by server 640, server 645, storage devices 660(1)-(N), storage devices 670(1)-(N), storage devices 690(1)-(N), or intelligent storage array 695. Although Figure 6 depicts the use of a network (such as the Internet) for exchanging data, the embodiments described and/or illustrated herein are not limited to the Internet or any particular network-based environment.
In at least one embodiment, the whole of one or more illustrative embodiments disclosed herein or one It point can be encoded as computer program and be loaded into server 640, server 645, storage device 660 (1)-(N), storage is set In standby 670 (1)-(N), storage device 690 (1)-(N), intelligent storage array 695 or its any combinations and performed.Herein All or part of of disclosed one or more illustrative embodiments can also be encoded as computer program, be stored in In server 640, run by server 645, and FTP client FTP 610,620 and 630 is assigned to by network 650.
As detailed above, the one or more assemblies of computing system 510 and/or network architecture 600 can individually or It is combined with other elements to perform and/or be performed as a kind of means for eliminating the redundant safety point to network packet The one or more steps of the illustrative methods of analysis.
Although disclosed above elaborate various embodiments, this paper institutes using specific block diagram, flow chart and example Each block diagram component, flow chart step, operation and/or the component for describing and/or showing can with the extensive hardware of use range, Software or firmware (or its any combinations) configuration carry out independent and/or common implementing.In addition, component in other assemblies Any disclosure should be considered as inherently exemplary, because can implement many other architectures to realize phase Congenerous.
In some instances, all or part of of the example system 100 in Fig. 1 can represent cloud computing environment or base In some of the environment of network.Cloud computing environment can provide various services and applications via internet.These bases In cloud service (for example, software i.e. service, platform i.e. service, infrastructure i.e. service etc.) can by web browser or its He conducts interviews at remote interface.Various functions described herein can by remote desktop environment or any other based on cloud Computing environment provides.
In various embodiments, all or part of of the example system 100 in Fig. 1 can promote based on cloud More leases in computing environment.In other words, software module described herein can match somebody with somebody computing system (for example, server) It is set to the more leases promoted for one or more functions described herein.For example, one or more described herein is soft Part module can run server programming on the server to make two or more clients (for example, client) to share Application program.The server programmed by this way can sharing application program, operation among multiple clients (that is, tenant) System, processing system, and/or storage system.One or more modules described herein can also be that each client segmentation is more The data and/or configuration information of tenant's application program so that a client can not access data and/or the configuration of another client Information.
According to various embodiments, all or part of of example system 100 in Fig. 1 can be real in virtual environment Apply.For example, module described herein and/or data can be resident and/or perform in virtual machine.As used herein, phrase " virtual machine " generally refers to any operation system abstracted by virtual machine manager (for example, management program) from computing hardware System environment.Additionally or alternatively, module and/or data described herein can be resident and/or perform in virtualization layer.Such as Phrase " virtualization layer " used herein generally refers to any data Layer for covering and/or being abstracted from operating system environment And/or application layer.Virtualization layer can be managed by software virtualization solution (for example, file system filter), described Software virtualization solution by virtualization layer be rendered as just look like virtualization layer be basis basic operating system part.Example Such as, software virtualization solution can be by the calling weight of the position in initial orientation to basic file system and/or registration table The position being directed in virtualization layer.
Procedure parameter and sequence of steps described herein and/or show only are provided by way of example and can roots According to needing to change.For example, although it is as shown herein and/or description the step of may show or discuss with particular order, but these Step is not necessarily required to perform by the order for showing or discussing.Various illustrative methods that are described herein and/or showing One or more of the step of being described herein or showing can be omitted, or also includes volume in addition to those disclosed steps Outer step.
Although describe and/or show various embodiment party in the case where giving full play to the background of computing system of function herein Formula, but one or more of these illustrative embodiments can distribute as the program product of diversified forms, without Consider the particular type of the computer-readable recording medium for being actually allocated.Embodiments disclosed herein can also Implemented using the software module for performing some tasks.These software modules can include script, batch processing, or can be stored in Other executable files on computer-readable recording medium or in computing system.In some embodiments, these software moulds Block can be by computer system configurations into performing one or more illustrative embodiments disclosed herein.
In addition, one or more modules described herein can be by the expression of data, physical equipment and/or physical equipment Another form is converted to from a kind of form.For example, one or more modules as described herein can intercept at the network equipment At least one network packet, switching network packet, the result of output network packet conversion, and the result using conversion The redundant safety that network packet performs is analyzed to eliminate.Additionally or alternatively, one or more modules as described herein can , will to be interacted by performing, storing data on the computing device on computing device and/or otherwise with computing device Processor, volatile memory, any other part of nonvolatile memory and/or physical computing devices turn from a kind of form It is changed to another form.
Description above is provided so that others skilled in the art can be best using disclosed herein The various aspects of illustrative embodiments.This exemplary description is not intended in detail or is confined to disclosed any essence True form.In the case where not departing from spirit and scope of the present disclosure, many modifications and variations are possible.It is disclosed herein Embodiment all should be considered as illustrative and not restrictive in all respects.Appended claims and its equivalent should be referred to To determine the scope of the present disclosure.
Unless otherwise stated, the term " one " used in the present description and claims should be interpreted to mean "...... at least one".In addition, for ease of using, the word " comprising " that uses in the present description and claims and " with " and word "comprising" it is interchangeable and with word "comprising" with identical meanings.

Claims (20)

1. A computer-implemented method for eliminating redundant security analyses on network data packets, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
intercepting, at a network device, at least one network data packet destined for a destination computing device;
identifying a security system installed on the destination computing device;
determining that the security system installed on the destination computing device does not satisfy a predefined security standard;
performing, at the network device, a security analysis that satisfies the predefined security standard on the network data packet, based at least in part on determining that the security system installed on the destination computing device does not satisfy the predefined security standard.
2. The method of claim 1, further comprising providing a cloud-based server that:
verifies the destination computing device;
obtains information about the destination computing device;
stores the information about the destination computing device such that the network device is able to access the information to identify the security system installed on the destination computing device.
3. The method of claim 2, wherein verifying the destination computing device comprises:
obtaining user credentials from a user of the destination computing device;
searching a verification database associated with the cloud-based server for the user credentials obtained from the user of the destination computing device;
identifying, while searching the verification database associated with the cloud-based server, the user credentials obtained from the user of the destination computing device.
4. The method of claim 2, wherein the information about the destination computing device specifies at least one of:
the security system installed on the destination computing device;
a current state of the security system installed on the destination computing device;
a calendar date on which the security system was most recently updated;
a network address associated with the destination computing device;
a brand or model of the destination computing device.
5. The method of claim 4, wherein identifying the security system installed on the destination computing device comprises:
identifying a destination address associated with the network data packet;
determining, from the destination address and the network address specified in the information stored on the cloud-based server, that the network data packet is destined for the destination computing device;
after determining that the network data packet is destined for the destination computing device, identifying the security system specified in the information stored on the cloud-based server.
6. The method of claim 2, wherein verifying the destination computing device comprises providing the destination computing device with a verification token configured to direct the destination computing device to update the information stored on the cloud-based server in response to detecting at least one modification to the security system installed on the destination computing device.
7. The method of claim 6, wherein obtaining the information about the destination computing device comprises:
receiving, from the destination computing device, an update identifying the modification to the security system;
updating the information stored on the cloud-based server, based at least in part on the received update, to account for the modification to the security system.
8. The method of claim 1, further comprising:
determining, based at least in part on the security analysis, that the network data packet does not pose a security risk to the destination computing device;
after determining that the network data packet does not pose a security risk to the destination computing device, forwarding the network data packet from the network device to the destination computing device.
9. The method of claim 1, further comprising:
determining, based at least in part on the security analysis, that the network data packet poses a security risk to the destination computing device;
after determining that the network data packet poses a security risk to the destination computing device, quarantining the network data packet instead of forwarding the network data packet from the network device to the destination computing device.
10. The method of claim 1, further comprising:
determining that the security system installed on the destination computing device satisfies a different predefined security standard;
forwarding the network data packet from the network device to the destination computing device without performing, on the network data packet, a security analysis that satisfies the different predefined security standard, because the security system installed on the destination computing device satisfies the different predefined security standard.
11. The method of claim 1, wherein the security analysis comprises at least one of:
an intrusion detection system (IDS) analysis;
an intrusion prevention system (IPS) analysis;
an antivirus analysis;
a firewall analysis.
12. A system for eliminating redundant security analyses on network data packets, the system comprising:
an interception module programmed to intercept, at a network device, at least one network data packet destined for a destination computing device;
an identification module programmed to identify a security system installed on the destination computing device;
a determination module programmed to determine that the security system installed on the destination computing device does not satisfy a predefined security standard;
a security module programmed to perform, at the network device, a security analysis that satisfies the predefined security standard on the network data packet, based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard;
at least one processor configured to execute the interception module, the identification module, the determination module, and the security module.
13. The system of claim 12, further comprising a cloud-based server that comprises:
a verification module programmed to verify the destination computing device;
an information module programmed to:
obtain information about the destination computing device;
store the information about the destination computing device such that the network device is able to access the information to identify the security system installed on the destination computing device.
14. The system of claim 13, wherein the verification module is programmed to:
obtain user credentials from a user of the destination computing device;
search a verification database associated with the cloud-based server for the user credentials obtained from the user of the destination computing device;
identify, while searching the verification database associated with the cloud-based server, the user credentials obtained from the user of the destination computing device.
15. The system of claim 13, wherein the information about the destination computing device specifies at least one of:
the security system installed on the destination computing device;
a current state of the security system installed on the destination computing device;
a calendar date on which the security system was most recently updated;
a network address associated with the destination computing device;
a brand or model of the destination computing device.
16. The system of claim 15, wherein the identification module is programmed to:
identify a destination address associated with the network data packet;
determine, from the destination address and the network address specified in the information stored on the cloud-based server, that the network data packet is destined for the destination computing device;
after determining that the network data packet is destined for the destination computing device, identify the security system specified in the information stored on the cloud-based server.
17. The system of claim 13, wherein the verification module is programmed to provide the destination computing device with a verification token configured to direct the destination computing device to update the information stored on the cloud-based server in response to detecting at least one modification to the security system installed on the destination computing device.
18. The system of claim 17, wherein the information module is programmed to:
receive, from the destination computing device, an update identifying the modification to the security system;
update the information stored on the cloud-based server, based at least in part on the received update, to account for the modification to the security system.
19. The system of claim 12, wherein the security analysis comprises at least one of:
an IDS analysis;
an IPS analysis;
an antivirus analysis;
a firewall analysis.
20. A non-transitory computer-readable storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a network device, cause the network device to:
intercept at least one network data packet destined for a destination computing device;
identify a security system installed on the destination computing device;
determine that the security system installed on the destination computing device does not satisfy a predefined security standard;
perform, on the network data packet, a security analysis that satisfies the predefined security standard, based at least in part on the determination that the security system installed on the destination computing device does not satisfy the predefined security standard.
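The claimed decision logic in working form, as an added illustration that is not the patent's or Symantec's code. It models the cloud-based server of claims 2, 4, 6 and 7 as an in-memory registry that issues a per-device token on verification and accepts later updates only with that token, the network device's lookup of the destination address (claim 5), and the forward / quarantine / forward-without-analysis outcomes of claims 8 to 10. The analysis stage is a toy pattern match standing in for the IDS, IPS, antivirus and firewall analyses of claim 11. All class and function names, the addresses, the product string "ExampleAV", the marker bytes and the seven-day freshness rule are constructed for the example; the one design choice added beyond the claims is that a destination with no record is treated as not meeting the standard, so an unknown device is analysed rather than waved through.

```python
"""Added illustration (not the patent's or Symantec's code) of the claimed
decision: analyse a packet at the network device only when the destination's
own security system does not meet a predefined standard.  Every name, address
and product string below is constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional, Tuple
import secrets


@dataclass
class DeviceRecord:
    """What the cloud-based server stores about one destination device
    (the fields listed in claim 4)."""
    address: str                     # network address of the device
    security_system: Optional[str]   # installed product, None if none known
    state: str                       # "enabled" or "disabled"
    last_updated: Optional[date]     # calendar date of the most recent update
    model: str = "unknown"           # brand or model, informational only


@dataclass(frozen=True)
class SecurityStandard:
    """The predefined security standard the network device enforces."""
    accepted_systems: FrozenSet[str]
    max_age: timedelta

    def is_met(self, rec: DeviceRecord, today: date) -> bool:
        return (rec.security_system in self.accepted_systems
                and rec.state == "enabled"
                and rec.last_updated is not None
                and today - rec.last_updated <= self.max_age)


class CloudRegistry:
    """Stand-in for the cloud-based server of claims 2, 6 and 7: verifying a
    device issues a token, and later updates are accepted only with it."""

    def __init__(self) -> None:
        self._records: Dict[str, DeviceRecord] = {}
        self._tokens: Dict[str, str] = {}

    def verify(self, rec: DeviceRecord) -> str:
        token = secrets.token_hex(16)          # random, per-device token
        self._records[rec.address] = rec
        self._tokens[rec.address] = token
        return token

    def update(self, address: str, token: str, **changes) -> bool:
        """Apply a device-reported modification if the token matches."""
        expected = self._tokens.get(address, "")
        if not secrets.compare_digest(expected, token):
            return False                       # reject unauthenticated updates
        rec = self._records[address]
        for field_name, value in changes.items():
            setattr(rec, field_name, value)
        return True

    def lookup(self, address: str) -> Optional[DeviceRecord]:
        return self._records.get(address)


def needs_analysis(dst: str, reg: CloudRegistry,
                   std: SecurityStandard, today: date) -> bool:
    """True when the network device must analyse the packet itself.
    A destination with no record is treated as not meeting the standard,
    so unknown devices fail closed rather than being waved through."""
    rec = reg.lookup(dst)
    return rec is None or not std.is_met(rec, today)


# Constructed marker standing in for real IDS/IPS/AV/firewall signatures.
BAD_MARKERS: Tuple[bytes, ...] = (b"CONSTRUCTED-MALICIOUS-MARKER",)


def analyse(payload: bytes) -> bool:
    """Toy analysis stage: True means the payload poses a risk."""
    return any(marker in payload for marker in BAD_MARKERS)


def handle_packet(dst: str, payload: bytes, reg: CloudRegistry,
                  std: SecurityStandard, today: date) -> str:
    """Outcome for one packet: 'forwarded-unanalysed', 'forwarded' or
    'quarantined' (claims 8 to 10)."""
    if not needs_analysis(dst, reg, std, today):
        return "forwarded-unanalysed"          # endpoint already covers it
    return "quarantined" if analyse(payload) else "forwarded"


EXAMPLE_TODAY = date(2013, 11, 25)             # fixed clock for the example
EXAMPLE_STANDARD = SecurityStandard(frozenset({"ExampleAV"}), timedelta(days=7))


def make_example_registry() -> Tuple[CloudRegistry, str]:
    """Registry with one verified, up-to-date device at 10.0.0.5 and its token."""
    reg = CloudRegistry()
    token = reg.verify(DeviceRecord("10.0.0.5", "ExampleAV", "enabled",
                                    EXAMPLE_TODAY - timedelta(days=1), "laptop-x"))
    return reg, token


if __name__ == "__main__":
    reg, token = make_example_registry()
    for dst in ("10.0.0.5", "10.0.0.99"):
        print(dst, handle_packet(dst, b"hello", reg, EXAMPLE_STANDARD, EXAMPLE_TODAY))
    reg.update("10.0.0.5", token, state="disabled")   # device reports a change
    print("10.0.0.5", handle_packet("10.0.0.5", b"CONSTRUCTED-MALICIOUS-MARKER",
                                    reg, EXAMPLE_STANDARD, EXAMPLE_TODAY))
```

Two properties of the scheme are visible in the run: a packet to a device whose record satisfies the standard is forwarded without being analysed at all, so the correctness of the whole arrangement rests on the registry being accurate and on updates being authenticated (hence the token check in `update`); and once the device reports its security system as disabled, the same packet is analysed at the network device and quarantined.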
CN201380058872.7A 2012-11-27 2013-11-25 The system and method analyzed for the redundant safety eliminated to network packet Active CN104937897B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US13/686,099 US8955092B2 (en) 2012-11-27 2012-11-27 Systems and methods for eliminating redundant security analyses on network data packets
US13/686099 2012-11-27
PCT/US2013/071604 WO2014085293A1 (en) 2012-11-27 2013-11-25 Systems and methods for eliminating redundant security analyses on network data packets

Publications (2)

Publication Number Publication Date
CN104937897A CN104937897A (en) 2015-09-23
CN104937897B true CN104937897B (en) 2017-12-12

Family

ID=49765681

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201380058872.7A Active CN104937897B (en) 2012-11-27 2013-11-25 The system and method analyzed for the redundant safety eliminated to network packet

Country Status (5)

Country Link
US (1) US8955092B2 (en)
EP (1) EP2926523B1 (en)
JP (1) JP5985071B2 (en)
CN (1) CN104937897B (en)
WO (1) WO2014085293A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9424421B2 (en) * 2013-05-03 2016-08-23 Visa International Service Association Security engine for a secure operating environment
CN104125209B (en) * 2014-01-03 2015-09-09 Tencent Technology (Shenzhen) Co., Ltd. Malicious website prompt method and router
WO2016032491A1 (en) * 2014-08-28 2016-03-03 Hewlett Packard Enterprise Development Lp Distributed detection of malicious cloud actors
US9961105B2 (en) 2014-12-31 2018-05-01 Symantec Corporation Systems and methods for monitoring virtual networks
US10264020B1 (en) 2015-02-05 2019-04-16 Symantec Corporation Systems and methods for scalable network monitoring in virtual data centers
US10365913B2 (en) * 2016-05-12 2019-07-30 Symantec Corporation Systems and methods for updating network devices
CN112394683B (en) * 2020-11-24 2022-03-11 Guilin University of Electronic Technology File transmission method using industrial control system
CN114826916A (en) * 2021-01-28 2022-07-29 Alibaba Group Holding Ltd. Data transmission method, device, system and computer storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1783811A (en) * 2004-09-29 2006-06-07 Microsoft Corp. Isolating software deployment over a network from external malicious intrusion
CN101167280A (en) * 2005-05-03 2008-04-23 Microsoft Corp. Network access protection
US7891001B1 (en) * 2005-08-26 2011-02-15 Perimeter Internetworking Corporation Methods and apparatus providing security within a network

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5793763A (en) * 1995-11-03 1998-08-11 Cisco Technology, Inc. Security system for network address translation systems
US7076650B1 (en) * 1999-12-24 2006-07-11 Mcafee, Inc. System and method for selective communication scanning at a firewall and a network node
US20020095588A1 (en) * 2001-01-12 2002-07-18 Satoshi Shigematsu Authentication token and authentication system
GB0109299D0 (en) * 2001-04-12 2001-05-30 British Telecomm Hybrid network
US7640434B2 (en) 2001-05-31 2009-12-29 Trend Micro, Inc. Identification of undesirable content in responses sent in reply to a user request for content
JP3948668B2 (en) * 2003-03-12 2007-07-25 Nippon Telegraph and Telephone Corp. Security automatic setting device, security automatic setting method, and recording medium
US20090313682A1 (en) 2004-01-06 2009-12-17 Saeed Rajput Enterprise Multi-interceptor Based Security and Auditing Method and Apparatus
JP4160004B2 (en) * 2004-03-03 2008-10-01 NTT Data Corp. Access control system
US8565726B2 (en) * 2008-11-06 2013-10-22 Mcafee, Inc. System, method and device for mediating connections between policy source servers, corporate repositories, and mobile devices
JP2006252256A (en) * 2005-03-11 2006-09-21 Nec Soft Ltd Network management system, method and program
US7636938B2 (en) 2005-06-30 2009-12-22 Microsoft Corporation Controlling network access
JP2007272396A (en) * 2006-03-30 2007-10-18 Nec Personal Products Co Ltd Security management system, relay device, and program
JP4361570B2 (en) * 2007-02-26 2009-11-11 Nippon Telegraph and Telephone Corp. Packet control instruction management method
JP2009005122A (en) * 2007-06-22 2009-01-08 Panasonic Corp Illegal access detection apparatus, and security management device and illegal access detection system using the device
JP4681589B2 (en) * 2007-09-05 2011-05-11 Nifty Corp. Network connection control method, program, and computer
US20100011432A1 (en) * 2008-07-08 2010-01-14 Microsoft Corporation Automatically distributed network protection
TW201227395A (en) * 2010-12-22 2012-07-01 Hon Hai Prec Ind Co Ltd Cloud data security controlling system and method

Also Published As

Publication number Publication date
JP2016506115A (en) 2016-02-25
CN104937897A (en) 2015-09-23
EP2926523B1 (en) 2016-09-21
JP5985071B2 (en) 2016-09-06
US20140150081A1 (en) 2014-05-29
EP2926523A1 (en) 2015-10-07
US8955092B2 (en) 2015-02-10
WO2014085293A1 (en) 2014-06-05

Similar Documents

Publication Publication Date Title
CN104937897B (en) The system and method analyzed for the redundant safety eliminated to network packet
CN106599694B (en) Security protection manages method, computer system and computer readable memory medium
AU2015374078B2 (en) Systems and methods for automatically applying firewall policies within data center applications
EP2822248B1 (en) Methods and systems for use in analyzing cyber-security threats in an aviation platform
CN102792307B (en) The system and method for NS software is provided in virtual environment
US20190141022A1 (en) On-premise and off-premise communication
US8943587B2 (en) Systems and methods for performing selective deep packet inspection
US11902145B2 (en) Generating and deploying security policies for microsegmentation
US8973090B1 (en) Systems and methods for protecting platform-as-a-service platforms
US11727101B2 (en) Methods and systems for verifying applications
CN104769598A (en) Systems and methods for detecting illegitimate applications
US20180089001A1 (en) Cloud container resource binding and tasking using keys
US9882931B1 (en) Systems and methods for detecting potentially illegitimate wireless access points
JP2013257773A (en) Monitoring device and monitoring method
US9122869B1 (en) Systems and methods for detecting client types
US9146950B1 (en) Systems and methods for determining file identities
CN115314257A (en) Authentication method and device of file system, electronic equipment and computer storage medium
CN111447080B (en) Private network decentralization control method, device and computer readable storage medium
US9699140B1 (en) Systems and methods for selecting identifiers for wireless access points
CN109714371B (en) Industrial control network safety detection system
US11157609B1 (en) Apparatus, system, and method for secure execution of unsigned scripts
Deivendran et al. Scalability and security requirements for the Internet of Things architecture
US11122040B1 (en) Systems and methods for fingerprinting devices
US20230018210A1 (en) Application identity-based enforcement of datagram protocols
Wang et al. A mobile botnet model based on android system

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder (Address after: California, USA; Patentee after: Norton weifuke Co.; Address before: California, USA; Patentee before: Symantec Corp.)
CP02 Change in the address of a patent holder (Address after: Arizona, USA; Patentee after: Norton weifuke Co.; Address before: California, USA; Patentee before: Norton weifuke Co.)
CP01 Change in the name or title of a patent holder (Address after: Arizona; Patentee after: Keane Digital Co.; Address before: Arizona; Patentee before: Norton weifuke Co.)